MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 67ff25062bd960e50c4b3fcfc82c3029aa1e3302fa453c0fecb76176494cc496. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 17

Intelligence 17 IOCs YARA 2 File information Comments

SHA256 hash:	67ff25062bd960e50c4b3fcfc82c3029aa1e3302fa453c0fecb76176494cc496
SHA3-384 hash:	73eddc743249e8765f0f5fb5d875f9ac0796d0ca75df90d77ce28e70ad9158315932177196af2832af7e10a69bae69ac
SHA1 hash:	744d895db0c8f43daba1c9706671b75205dad3a1
MD5 hash:	72d5634c564eca040687176cbf55ee18
humanhash:	social-florida-arkansas-bulldog
File name:	DCK-JULY 2023_ORDER #6553DQQW67786TTRMAG.exe
Download:	download sample
Signature	Formbook Create hunting rule
File size:	640'512 bytes
First seen:	2023-07-13 13:43:32 UTC
Last seen:	2023-07-13 14:34:46 UTC
File type:	exe
MIME type:	application/x-dosexec
imphash	f34d5f2d4577ed6d9ceec516c1f5a744 (48'650 x AgentTesla, 19'462 x Formbook, 12'203 x SnakeKeylogger)
ssdeep	12288:7pPkQZgMHj1Qx6cWt7Bcjynjr+QK7JsCp0pTpO/gxG:NBrHD5t7Bc0g7TSAYxG
Threatray	3'551 similar samples on MalwareBazaar
TLSH	T166D412796D794B93C33A5BF12240AB3043FF85EA60B3E3574D8EB0DAA164B548E40B53
TrID	71.1% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13) 10.2% (.EXE) Win64 Executable (generic) (10523/12/4) 6.3% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2) 4.3% (.EXE) Win32 Executable (generic) (4505/5/1) 2.0% (.ICL) Windows Icons Library (generic) (2059/9)
Reporter	James_inthe_box
Tags:	exe FormBook

Intelligence

File Origin

# of uploads :

# of downloads :

281

Origin country :

Vendor Threat Intelligence

Malware family:

formbook

ID:

File name:

DCK-JULY 2023_ORDER #6553DQQW67786TTRMAG.exe

Verdict:

Malicious activity

Analysis date:

2023-07-13 13:44:14 UTC

Tags:

formbook xloader

Link:

https://app.any.run/tasks/d1982028-aa74-4fe8-a0f6-b3ac18597fc3

Note:

ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample

Detection:

Formbook

Link:

https://www.capesandbox.com/analysis/417493/

Detection(s):

SecuriteInfo.com.Trojan.PackedNET.2175.28087.11330.UNOFFICIAL

Result

Verdict:

Malware

Maliciousness:

Behaviour

Creating a window

Sending a custom TCP request

Unauthorized injection to a recently created process

Restart of the analyzed sample

Creating a file

Launching a process

Launching cmd.exe command interpreter

Unauthorized injection to a system process

Verdict:

Malicious

Threat level:

10/10

Confidence:

100%

Tags:

masquerade packed

Link:

https://www.filescan.io/uploads/64afffa358ac422b7cce3865/reports/553f7af3-dd6e-493b-939d-8c28c8133c10/overview

Verdict:

Malicious

Labled as:

Win/malicious_confidence_70%

Link:

https://www.hybrid-analysis.com/sample/67ff25062bd960e50c4b3fcfc82c3029aa1e3302fa453c0fecb76176494cc496

Result

Verdict:

MALICIOUS

Details

Windows PE Executable

Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Malware family:

Formbook

Verdict:

Malicious

Link:

https://analyze.intezer.com/analyses/bc248474-9caa-485e-a526-7805ef4a97fe

Result

Threat name:

FormBook

Detection:

malicious

Classification:

troj.evad

Score:

100 / 100

Link:

https://www.joesandbox.com/analysis/1272526

Signature

.NET source code contains potential unpacker

Antivirus detection for URL or domain

C2 URLs / IPs found in malware configuration

Found malware configuration

Initial sample is a PE file and has a suspicious name

Machine Learning detection for sample

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Tries to detect virtualization through RDTSC time measurements

Yara detected FormBook

Behaviour

Behavior Graph:

Download SVG

Detection:

formbook

Link:

https://mwdb.cert.pl/sample/67ff25062bd960e50c4b3fcfc82c3029aa1e3302fa453c0fecb76176494cc496/

Threat name:

ByteCode-MSIL.Trojan.AgentTesla

Status:

Malicious

First seen:

2023-07-13 10:14:51 UTC

File Type:

PE (.Net Exe)

Extracted files:

AV detection:

21 of 38 (55.26%)

Threat level:

5/5

Detection(s):

Suspicious file

Link:

https://check.spamhaus.org/check/?searchterm=m77skbrl3fqokdclh7h4qlbqfgvb4myc7jctyd7mw5qxmskmysla._file

Verdict:

malicious

Label(s):

formbook

Formbook

1da1d27f8c3f4188f1767f87ae85c14e1fda3fa80142af97697864580f1a2397

Formbook

3077abc4b785271fc43389f94cee024de4fd4d3d7f4ada5c569a9aca09374a9d

Formbook

3343ba4097fe8b6b91af0ca46abb0baf6052acf1806571432cc7e9e0ba59fa2a

Formbook

5dc52da7b97835654bab2a3a39e93d412a50608bfd7dfccb87ff716c9aba6a37

Formbook

68f739e8cec56189a152729584f046954f13e32426331970eb755538a8008f1c

Formbook

7ac2e4aad0054c77e7a2205d156da7032021be264702c8fa76eab7ebc44556ff

Formbook

a993e52917b124010519fcf6adb63124d87c0cc594cea58b1dce686bf85d7cf9

Formbook

c9bdb8c092e5af89aacb7feae545fa43da02c84f6ac74a3a60cef3f9076c0ca4

Formbook

f14965866d8a9a8c9a12cb2bef6c0cf53e72cbf7f8f61477b42f7aa4f9b417be

Formbook

+ 3'541 additional samples on MalwareBazaar

Result

Malware family:

formbook

Score:

10/10

Tags:

family:formbook campaign:ed05 rat spyware stealer trojan

Link:

https://tria.ge/reports/230713-q1tdvagh83/

Behaviour

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious use of SetThreadContext

Deletes itself

Formbook payload

Formbook

Unpacked files

SH256 hash:

c2bfe3cf49d8f58f67d038098d05a96a179f655214af343e76e86d4c41efa503

MD5 hash:

3094d31787bddcf36fb1e7c57ed65350

SHA1 hash:

781284b231e8ada8180d4ec18841aa8da79680b0

Detections:

FormBook

win_formbook_w0

win_formbook_auto

win_formbook_g0

Link:

https://www.unpac.me/results/89a44da5-9002-48d1-a586-6912acce170c/

Parent samples :

a993e52917b124010519fcf6adb63124d87c0cc594cea58b1dce686bf85d7cf9
67ff25062bd960e50c4b3fcfc82c3029aa1e3302fa453c0fecb76176494cc496
ee898ae9ed7d7bf404b1a3de63e2f0a0d01a420a08cf15b21294fa6ea0ddc93b
e4072afd21da31150629928a4916d6635fa499bd9ff0f551a0c6d5add6d877b3
5ad354e8575a8c5c293f1fa8a1a25de41078a35c843b330a4b7529ec9b042d9b

SH256 hash:

53f2ad060cf771aa4f197df5789cee95959480c244a0b392bb450c8ce7311d77

MD5 hash:

37e82d3e2864e27b34f5fbacaea759c3

SHA1 hash:

a87024a466e052bff09a170bb8c6f374f6c84c32

Link:

https://www.unpac.me/results/89a44da5-9002-48d1-a586-6912acce170c/

SH256 hash:

4b7195094308f0ad5c7a139565ab9a5e4ca2227072fae66bb5f2d4a0edd51fc5

MD5 hash:

e2a4c335fb0f3b4a27320037978ddc0a

SHA1 hash:

482e79ea377371dd1dea0be9c9498fd214bbf985

Link:

https://www.unpac.me/results/89a44da5-9002-48d1-a586-6912acce170c/

SH256 hash:

3e24c77fe108059f14fe61b8400c5fe023dc2b0ec7c4fe23fa9911681086f7a9

MD5 hash:

a5228b97b33467ac41fac5cac2718252

SHA1 hash:

28bb020c8a53b046fc8e8106f2913e62c5941a0d

Link:

https://www.unpac.me/results/89a44da5-9002-48d1-a586-6912acce170c/

SH256 hash:

67ff25062bd960e50c4b3fcfc82c3029aa1e3302fa453c0fecb76176494cc496

MD5 hash:

72d5634c564eca040687176cbf55ee18

SHA1 hash:

744d895db0c8f43daba1c9706671b75205dad3a1

Link:

https://www.unpac.me/results/89a44da5-9002-48d1-a586-6912acce170c/

Malware family:

FormBook

Verdict:

Malicious

Link:

https://www.vmray.com/analyses/_mb/67ff25062bd9/report/overview.html

Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:	pe_imphash Create hunting rule

Rule name:	Skystars_Malware_Imphash Create hunting rule
Author:	Skystars LightDefender
Description:	imphash

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Delivery method

Other

Cape

https://www.capesandbox.com/analysis/417493/

Comments

Login required

You need to login to in order to write a comment. Login with your abuse.ch account.

No comments found for this malware sample